Rails 2.0 introduced an authenticity_token that has to be passed on mutating/deleting (i.e. not GET) requests when protect_from_forgery is enabled for an action.

Having to remember to set the authenticity_token as a parameter for all Ajax requests is rather error prone. In my opinion, it would be preferable to have a way to set default parameters globally, or even provide special treatment for the authenticity_token.

Incidentally, the scriptaculous autocompleter collides with the CSRF protection as it by default uses POST. See <http://dev.rubyonrails.org/ticket/10700>.

Michael

--
Michael Schuerig
mailto:michael-q5aiKMLteq4b1SvskN2V4Q@public.gmane.org
http://www.schuerig.de/michael/
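
One way to get the global default the message asks for, as an added example that is not part of the original post and not code from Rails or Prototype: a helper that merges the token into Prototype-style Ajax options for every non-GET request. The names withAuthenticityToken, queryHasParam and SAMPLE_TOKEN are hypothetical, and the token value is constructed.

```javascript
// Added example: default CSRF parameter for Prototype-style Ajax options.
// Helper names and the sample token are hypothetical.
var TOKEN_PARAM = 'authenticity_token';

// True when a query string ("a=1&b=2") already carries the named parameter.
function queryHasParam(query, name) {
  return query.split('&').some(function (pair) {
    return pair.split('=')[0] === name;
  });
}

// Return a copy of `options` with the token added to `parameters` for every
// non-GET request. A token the caller already supplied is never overwritten,
// and the caller's own options object is left unmodified.
function withAuthenticityToken(options, token) {
  var result = {};
  Object.keys(options || {}).forEach(function (key) { result[key] = options[key]; });

  // Prototype's Ajax.Request defaults to POST when no method is given,
  // which is why the autocompleter runs into the CSRF check.
  var method = String(result.method || 'post').toLowerCase();
  if (method === 'get' || !token) return result;

  var params = result.parameters;
  if (typeof params === 'string') {
    // Query-string form: append the URL-encoded token.
    if (!queryHasParam(params, TOKEN_PARAM)) {
      var pair = TOKEN_PARAM + '=' + encodeURIComponent(token);
      result.parameters = params === '' ? pair : params + '&' + pair;
    }
  } else {
    // Object form, or no parameters at all: merge into a fresh object.
    var merged = {};
    Object.keys(params || {}).forEach(function (key) { merged[key] = params[key]; });
    if (!Object.prototype.hasOwnProperty.call(merged, TOKEN_PARAM)) {
      merged[TOKEN_PARAM] = token;
    }
    result.parameters = merged;
  }
  return result;
}

// Constructed sample token; a real one would be rendered into the page by Rails.
var SAMPLE_TOKEN = 'constructed+token/value=';
```

With Prototype loaded, the result is passed as the options argument, e.g. new Ajax.Request(url, withAuthenticityToken(options, token)).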